From 3ed9912e7241f3140ed04191873d75f273cdb736 Mon Sep 17 00:00:00 2001
From: aviralgarg05
Date: Fri, 20 Feb 2026 00:53:08 +0530
Subject: [PATCH] fix(sandbox): harden image packaging integrity checks
---
 .github/actions/push-sandbox/action.yml | 8 ++++++++
 Dockerfile | 5 ++++-
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/.github/actions/push-sandbox/action.yml b/.github/actions/push-sandbox/action.yml
index 0b248f11a5b..db75ce10cd3 100644
--- a/.github/actions/push-sandbox/action.yml
+++ b/.github/actions/push-sandbox/action.yml
@@ -77,6 +77,14 @@ runs:
 --image google/gemini-cli-sandbox:${{ steps.image_tag.outputs.FINAL_TAG }} \
 --output-file final_image_uri.txt
 echo "uri=$(cat final_image_uri.txt)" >> $GITHUB_OUTPUT
+ - name: 'verify'
+ shell: 'bash'
+ run: |-
+ docker run --rm --entrypoint sh "${{ steps.docker_build.outputs.uri }}" -lc '
+ set -e
+ node -e "const fs=require(\"node:fs\"); JSON.parse(fs.readFileSync(\"/usr/local/share/npm-global/lib/node_modules/@google/gemini-cli/package.json\",\"utf8\")); JSON.parse(fs.readFileSync(\"/usr/local/share/npm-global/lib/node_modules/@google/gemini-cli-core/package.json\",\"utf8\"));"
+ /usr/local/share/npm-global/bin/gemini --version >/dev/null
+ '
 - name: 'publish'
 shell: 'bash'
 if: "${{ inputs.dry-run != 'true' }}"
diff --git a/Dockerfile b/Dockerfile
index b41ea003686..25d27d46c6d 100644
--- a/Dockerfile
+++ b/Dockerfile
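Review bot: The new `verify` step proves only that the two package.json files parse and that `gemini` starts, not that the image contains the packages this build produced: `JSON.parse` throws away the parsed object and `gemini --version >/dev/null` throws away the version, so a stale or registry-resolved install that merely runs would pass. Pin the check to the expected version instead, e.g. `test "$(/usr/local/share/npm-global/bin/gemini --version)" = "$EXPECTED_VERSION"` and `node -e "process.exit(require(\"<cli dir>/package.json\").version === process.env.EXPECTED_VERSION ? 0 : 1)"`, with `EXPECTED_VERSION` read from the built cli tarball's package.json on the runner and passed in with `docker run -e EXPECTED_VERSION`. The `@google/gemini-cli-core` path it reads is the global top-level install; if `@google/gemini-cli` lists core as an ordinary dependency (not visible here), the copy the CLI actually loads sits under `@google/gemini-cli/node_modules/` and npm may have fetched it from the registry rather than from `/tmp/gemini-core.tgz`, so resolving it from the cli directory (`require.resolve('@google/gemini-cli-core', {paths: [cliDir]})`) and comparing that version is the check that matters. Separately, `${{ steps.docker_build.outputs.uri }}` is expanded straight into the `run:` script; it comes from this action's own earlier step so the injection risk is low, but passing it through `env:` as `IMAGE_URI` and using `"$IMAGE_URI"` is the standard hardening, and if that URI is a tag rather than an `@sha256:` digest the image verified here is not pinned to the one `publish` pushes.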
@@ -42,7 +42,10 @@ USER node
 # install gemini-cli and clean up
 COPY packages/cli/dist/google-gemini-cli-*.tgz /tmp/gemini-cli.tgz
 COPY packages/core/dist/google-gemini-cli-core-*.tgz /tmp/gemini-core.tgz
-RUN npm install -g /tmp/gemini-cli.tgz /tmp/gemini-core.tgz \
+RUN npm install -g /tmp/gemini-core.tgz \
+ && npm install -g /tmp/gemini-cli.tgz \
+ && node -e "const fs=require('node:fs'); JSON.parse(fs.readFileSync('/usr/local/share/npm-global/lib/node_modules/@google/gemini-cli/package.json','utf8')); JSON.parse(fs.readFileSync('/usr/local/share/npm-global/lib/node_modules/@google/gemini-cli-core/package.json','utf8'));" \
+ && gemini --version > /dev/null \
 && npm cache clean --force \
 && rm -f /tmp/gemini-{cli,core}.tgz